@blamejs/core 0.12.62 → 0.12.64

package/CHANGELOG.md

@@ -8,6 +8,10 @@ upgrading across more than a few patches at a time.
 
 ## v0.12.x
 
+- v0.12.64 (2026-05-25) — **`b.jsonSchema` — JSON Schema 2020-12 validation.** Validate JSON against a JSON Schema 2020-12 document — the dialect OpenAPI 3.1 adopted and the most widely implemented schema language. b.jsonSchema.compile(schema) returns a reusable validator; b.jsonSchema.validate(schema, instance) compiles and runs in one call, returning { valid, errors } where each error names the failing instance location, keyword, and schema path. The full 2020-12 vocabulary is supported: every applicator (allOf / anyOf / oneOf / not / if-then-else, properties / patternProperties / additionalProperties / prefixItems / items / contains), the annotation-aware unevaluatedProperties / unevaluatedItems, every assertion keyword, and reference resolution ($ref / $anchor / $dynamicRef / $dynamicAnchor / $defs / $id base URIs). format is an annotation by default (opt in to assertion with assertFormat). External references resolve through an operator-supplied schema map — never a network fetch. Verified against the official JSON-Schema-Test-Suite (1292 of 1295 draft2020-12 cases; the remainder need the bundled dialect metaschema or $vocabulary selection, both opt-in). This is the standards-track counterpart to the fluent b.safeSchema builder and the portable b.jtd. **Added:** *`b.jsonSchema` — JSON Schema 2020-12* — `compile(schema, opts)` returns `{ validate, isValid }`; `validate(schema, instance, opts)` and `isValid(schema, instance, opts)` compile and run in one call. `validate` returns `{ valid, errors }`, each error a `{ instancePath, keyword, schemaPath, message }`. The full 2020-12 vocabulary is implemented — applicators, annotation-aware `unevaluatedProperties` / `unevaluatedItems`, every assertion keyword, and `$ref` / `$anchor` / `$dynamicRef` / `$dynamicAnchor` / `$defs` / `$id` resolution. `format` is an annotation by default (`assertFormat: true` to assert). External references resolve through `opts.schemas` (a URI→schema map), never a network fetch. Reach for it when the schema is an existing JSON Schema document (an API contract, OpenAPI component, or config schema); `b.safeSchema` remains the fluent in-process builder and `b.jtd` the portable codegen-friendly option. Validating a schema document against the dialect metaschema requires supplying that metaschema via `opts.schemas`, and `$vocabulary`-based keyword selection is not honored (every standard keyword always asserts).
+
+- v0.12.63 (2026-05-25) — **`b.cloudEvents` gains the JSON event format, batch, and the HTTP binding.** b.cloudEvents grows beyond wrap / parse into a full CloudEvents 1.0.2 surface. b.cloudEvents.validate / isValid check an envelope against the spec without throwing (the non-throwing companion to parse). toJSON / fromJSON serialize and parse the JSON event format, and toJSONBatch / fromJSONBatch handle the JSON batch format; untrusted bodies parse through the framework's bounded, prototype-pollution-safe JSON reader. The new http.* binding speaks both content modes the spec defines — binary mode spreads context attributes across percent-encoded ce-* headers with the data in the body, structured mode carries the whole event as application/cloudevents+json — plus the batch mode, and http.decode auto-detects the incoming mode from Content-Type exactly as a conformant receiver does. Verified against the spec's normative example events. **Added:** *`b.cloudEvents` JSON event format, batch, and HTTP binding* — `validate` / `isValid` report spec violations without throwing (the non-throwing companion to `parse`). `toJSON` / `fromJSON` and `toJSONBatch` / `fromJSONBatch` serialize and parse the JSON event and batch formats over the existing envelope shape. `http.encodeBinary` / `http.encodeStructured` / `http.encodeBatch` render the three HTTP content modes — binary spreads attributes across percent-encoded `ce-*` headers, structured and batched carry the event(s) as `application/cloudevents+json` / `application/cloudevents-batch+json` — and `http.decode` parses a request back into an envelope (or array) by auto-detecting the mode from `Content-Type`. `b.jtd` or `b.safeSchema` still validate the event's `data` payload. **Fixed:** *`b.csp.build` accepts `fenced-frame-src` and `webrtc`* — The CSP3 `fenced-frame-src` directive — which the default security-headers policy emits to block `<fencedframe>` embeds — was missing from the builder's recognized-directive set, so the default policy could not round-trip through `b.csp.build` (it threw `csp/unknown-directive`). Both `fenced-frame-src` and the CSP3 `webrtc` directive are now recognized.
+
 - v0.12.62 (2026-05-26) — **`b.jtd` — JSON Type Definition validation (RFC 8927).** Validate JSON against a JSON Type Definition schema (RFC 8927) — a small, portable, cross-implementation schema language, the interop-friendly companion to the framework's fluent b.safeSchema builder. b.jtd.validate(schema, instance) returns an array of { instancePath, schemaPath } errors (empty = valid); b.jtd.isValid is the boolean form. All eight schema forms are supported — empty, type, enum, elements, properties (with optional / additional properties and nullable), values, discriminator (with mapping), and ref (with definitions) — including the integer-range and RFC 3339 timestamp types. A malformed schema is rejected at compile time with jtd/bad-schema rather than silently mis-validating. Verified against the official json-typedef-spec suites: all 316 validation cases and all 49 invalid-schema cases. **Added:** *`b.jtd.validate(schema, instance)` / `b.jtd.isValid(schema, instance)`* — `validate` returns the RFC 8927 error list — each `{ instancePath, schemaPath }` naming the offending value and the broken schema rule — and `isValid` is the boolean convenience form. Supports every JTD form and type: the numeric types enforce their exact ranges (int8 … uint32, float32 / float64), `timestamp` requires an RFC 3339 date-time, `properties` honours `optionalProperties` / `additionalProperties` / `nullable`, and `discriminator` selects a `mapping` schema by a tag property. The schema is checked for well-formedness before validation, so unknown keywords, multiple forms, bad refs, or a discriminator over a non-properties mapping all throw `jtd/bad-schema`. Use JTD for schemas you share across implementations or generate code from; use `b.safeSchema` for in-process fluent validation.
 
 - v0.12.61 (2026-05-26) — **`b.jsonPath` — JSONPath query (RFC 9535).** A full RFC 9535 JSONPath query evaluator, complementing the framework's JSONPath guards (which screen path strings). b.jsonPath.query(doc, path) compiles a path and returns the matched node values; b.jsonPath.paths returns their normalized locations. The complete surface is implemented: name / wildcard / index / slice selectors, descendant segments (..), filter selectors (?) with comparison and logical operators, relative (@) and absolute ($) embedded queries, and the five standard functions length / count / match / search / value — with the spec's well-typedness rules enforced at compile time so a malformed or ill-typed query is rejected rather than silently mis-evaluated. Descendant walks are node-capped to bound work on hostile input. Verified against all 703 cases of the official jsonpath-compliance-test-suite. **Added:** *`b.jsonPath.query(doc, path)` / `b.jsonPath.paths(doc, path)`* — `query` returns the array of node values selected by an RFC 9535 JSONPath; `paths` returns the normalized-path string of each match (e.g. `$['a'][1]['p']`). Supports every selector (name, wildcard `*`, index incl. negative, slice `start:end:step` incl. negative step, comma-separated selections), child and descendant (`..`) segments, and filter expressions with `==` / `!=` / `<` / `<=` / `>` / `>=`, `&&` / `||` / `!`, existence tests, and the standard functions. The well-typedness rules are checked when the path is compiled — a non-singular query used as a comparison operand, an ill-typed function argument, or a value-typed function used as a test all throw `json-path/invalid`. Pairs with `b.guardJsonPath`, which screens operator-supplied path strings before they reach the evaluator.

package/README.md

@@ -100,6 +100,7 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
 - **HPKE / HTTP signatures** — RFC 9180 HPKE with ML-KEM-1024 + HKDF-SHA3-512 + ChaCha20-Poly1305 (`b.crypto.hpke`); RFC 9421 HTTP Message Signatures with derived components and ed25519 / ML-DSA-65 (`b.crypto.httpSig`); RFC 9530 Content-Digest / Repr-Digest body-integrity fields (SHA-256 / SHA-512, legacy algorithms refused — `b.contentDigest`) to sign the digest rather than the whole body
 - **Link header** — RFC 8288 Web Linking codec (`b.linkHeader.parse` / `serialize`): parse and build `Link: <uri>; rel="next"` relations, the standard REST pagination mechanism; quote-aware (a comma inside a quoted parameter never splits the list)
 - **JSON Type Definition** — RFC 8927 validation (`b.jtd.validate` / `isValid`): portable, cross-implementation schema validation (all eight forms — type / enum / elements / properties / values / discriminator / ref / empty), returning instancePath / schemaPath errors; validated against the official 316-case suite. Interop companion to the fluent `b.safeSchema` builder
+- **JSON Schema 2020-12** — the OpenAPI 3.1 dialect (`b.jsonSchema.compile` / `validate` / `isValid`): full vocabulary including every applicator, annotation-aware `unevaluatedProperties` / `unevaluatedItems`, and `$ref` / `$dynamicRef` / `$anchor` / `$id` resolution (external refs via an operator-supplied schema map, never a network fetch); `format` is an annotation unless `assertFormat` is set; returns located `{ valid, errors }`. Validated against the official JSON-Schema-Test-Suite. Standards-track counterpart to `b.safeSchema` and `b.jtd`
 - **JSONPath** — full RFC 9535 query evaluator (`b.jsonPath.query` / `paths`): name / wildcard / index / slice / descendant selectors, `?filter` expressions, and the five standard functions, with compile-time well-typedness checks (validated against the official 703-case compliance suite); complements the JSONPath guards
 - **JSON Pointer / Patch** — RFC 6901 `b.jsonPointer.get` (reference a value by `/foo/0/bar`) + RFC 6902 `b.jsonPatch.apply` (atomic add / remove / replace / move / copy / test for HTTP PATCH; the input document is never mutated, structural `test` comparison) + RFC 7396 `b.jsonMergePatch.merge` (the `merge-patch+json` partial-document format; both PATCH formats are prototype-pollution-safe)
 - **Canonical JSON** — RFC 8785 JSON Canonicalization Scheme (`b.canonicalJson.stringifyJcs`): the deterministic, sorted-key byte form to hash or sign (custom credentials, receipts, deterministic request signing); UTF-16 key ordering + ECMAScript number formatting, with a lenient `stringify` variant for Buffers / Dates / BigInts
@@ -158,7 +159,7 @@ The framework bundles the surface a typical Node app reaches for. Every primitiv
 - **WebSockets (server)** — channel/room fan-out across cluster replicas; RFC 6455 §5.5 control-frame size + FIN enforcement on inbound (defends 1 MiB-PING-as-PONG amplification) (`b.websocket`, `b.websocketChannels`)
 - **WebSockets (client)** — `b.wsClient` with PQC-TLS handshake, permessage-deflate negotiation with decompression-bomb cap, fatal UTF-8 validation, permanent-error classifier (skips reconnect on 4xx / accept mismatch / bad-subprotocol), exponential-backoff with full jitter
 - **Pub/sub + events** — distributed pub/sub with cluster-table / Redis PUB/SUB / custom backends (`b.pubsub`); framework-emitted signal bus for breach / integrity events (`b.events`)
-- **CloudEvents + SSE** — CloudEvents 1.0 envelope for AWS EventBridge / Knative / Azure Event Grid / Google Eventarc / CNCF (`b.cloudEvents`); Server-Sent Events with newline-injection refusal in `event:` / `id:` / `data:` / `Last-Event-ID` (CVE-2026-33128 / 29085 / 44217 class) (`b.sse`, `b.middleware.sse`)
+- **CloudEvents + SSE** — CloudEvents 1.0.2 for AWS EventBridge / Knative / Azure Event Grid / Google Eventarc / CNCF: `wrap` / `parse` envelopes, non-throwing `validate` / `isValid`, the JSON event + batch formats (`toJSON` / `fromJSON` / `toJSONBatch` / `fromJSONBatch`), and the HTTP binding in both binary and structured content modes with auto-detecting `http.decode` (`b.cloudEvents`); Server-Sent Events with newline-injection refusal in `event:` / `id:` / `data:` / `Last-Event-ID` (CVE-2026-33128 / 29085 / 44217 class) (`b.sse`, `b.middleware.sse`)
 - **Mail (outbound)** — multipart + attachments + DKIM + calendar invites; bounce intake (`b.mail`, `b.mailBounce`)
 - **Mail (outbound delivery)** — turnkey MX-lookup → MTA-STS-fetch → DANE-TLSA → REQUIRETLS handshake → SMTP wire layer → RFC 3464 DSN-on-permanent-failure → deferred-retry scheduling, all wired once (`b.mail.send.deliver`)
 - **Mail (inbound auth)** — SPF / DMARC / ARC verify + ARC chain signing for relays (`b.mail.spf`, `b.mail.dmarc`, `b.mail.arc`)

package/index.js

@@ -403,6 +403,7 @@ var jsonPatch = require("./lib/json-patch");
 var jsonMergePatch = require("./lib/json-merge-patch");
 var jsonPath = require("./lib/json-path");
 var jtd = require("./lib/jtd");
+var jsonSchema = require("./lib/json-schema");
 var standardWebhooks = require("./lib/standard-webhooks");
 var lro = require("./lib/lro");
 var jsonApi = require("./lib/jsonapi");
@@ -427,6 +428,7 @@ module.exports = {
   jsonMergePatch:   jsonMergePatch,
   jsonPath:         jsonPath,
   jtd:              jtd,
+  jsonSchema:       jsonSchema,
   standardWebhooks: standardWebhooks,
   lro:              lro,
   jsonApi:          jsonApi,

package/lib/backup/manifest.js

@@ -95,7 +95,7 @@ var VALID_KINDS = { "raw": 1, "vault-sealed": 1, "plaintext": 1 };
 // in the manifest, so the hex string is 128 chars long.
 var SHA3_512_HEX_LENGTH = 128;
 var HEX_RE = safeBuffer.HEX_RE;
-var BASE64_RE = /^[A-Za-z0-9+/]*={0,2}$/;
+var BASE64_RE = safeBuffer.BASE64_RE;
 
 function _isHex(s, evenLength) {
   if (typeof s !== "string" || s.length === 0) return false;

package/lib/cloud-events.js

@@ -36,11 +36,16 @@
 
 var nodeCrypto = require("node:crypto");
 var validateOpts = require("./validate-opts");
+var rfc3339 = require("./rfc3339");
+var safeJson = require("./safe-json");
+var safeBuffer = require("./safe-buffer");
+var C = require("./constants");
 var { defineClass } = require("./framework-error");
 
 var CloudEventsError = defineClass("CloudEventsError", { alwaysPermanent: true });
 
 var SPECVERSION = "1.0";
+var DEFAULT_MAX_BYTES = C.BYTES.mib(1);   // fromJSON / http.decode input cap
 
 // CloudEvents §3.1 — required string attributes.
 var REQUIRED_ATTRS = ["id", "source", "specversion", "type"];
@@ -268,9 +273,459 @@ function parse(envelope) {
   };
 }
 
+// ---- validate / isValid (non-throwing spec check) ----
+
+var INT_MIN = -2147483648;                                  // allow:raw-byte-literal — CloudEvents Integer type range
+var INT_MAX = 2147483647;                                   // allow:raw-byte-literal — CloudEvents Integer type range
+// JSON-formatted media type essence (after the parameters are stripped):
+// type/json or type/anything+json. Each run is bounded by the single "/"
+// separator so the match is linear (no overlapping quantifiers → no
+// polynomial backtracking on hostile media-type strings).
+var JSON_MEDIA_RE = /^[^/]+\/(?:[^/]+\+)?json$/i;
+// Extension name MUST be lowercase ASCII alnum (the §3.1 ≤20 length is a
+// SHOULD, so validate enforces only the MUST; wrap is stricter on emit).
+var VALIDATE_EXT_NAME_RE = /^[a-z0-9]+$/;
+
+function _isPlainObject(v) { return v !== null && typeof v === "object" && !Array.isArray(v) && !Buffer.isBuffer(v); }
+function _isNonEmptyString(v) { return typeof v === "string" && v.length > 0; }
+function _isCanonicalBase64(s) { return typeof s === "string" && s.length % 4 === 0 && safeBuffer.BASE64_RE.test(s); }
+function _isJsonMedia(ct) {
+  if (ct == null) return true;   // absent datacontenttype defaults to application/json
+  var essence = String(ct).split(";")[0].trim();   // drop media-type parameters
+  return JSON_MEDIA_RE.test(essence);   // allow:regex-no-length-cap — slash-bounded classes, linear match
+}
+
+function _extIssue(name, v) {
+  if (v === null) return null;
+  if (typeof v === "string" || typeof v === "boolean") return null;
+  if (typeof v === "number") {
+    if (!isFinite(v) || Math.floor(v) !== v) return "extension '" + name + "' must be an integer (CloudEvents has no float type)";
+    if (v < INT_MIN || v > INT_MAX) return "extension '" + name + "' integer out of 32-bit range";
+    return null;
+  }
+  return "extension '" + name + "' must be a string, integer, or boolean";
+}
+
+/**
+ * @primitive b.cloudEvents.validate
+ * @signature b.cloudEvents.validate(event)
+ * @since     0.12.63
+ * @status    stable
+ * @related   b.cloudEvents.parse, b.cloudEvents.fromJSON
+ *
+ * Check an in-memory CloudEvents v1.0 envelope against the §3.1 spec and
+ * return an array of <code>{ attribute, message }</code> issues — an empty
+ * array means the event is conformant. Unlike <code>parse</code> (which
+ * throws and decodes), this never throws, so it suits inspecting events of
+ * unknown provenance before deciding what to do with them.
+ *
+ * @example
+ *   b.cloudEvents.validate({ specversion: "1.0", id: "1",
+ *     source: "/x", type: "com.example.t" });
+ *   // → []
+ */
+function validate(event) {
+  var issues = [];
+  function bad(attribute, message) { issues.push({ attribute: attribute, message: message }); }
+  if (!_isPlainObject(event)) { bad("", "event must be an object"); return issues; }
+
+  if (event.specversion !== SPECVERSION) bad("specversion", "specversion must be the string \"" + SPECVERSION + "\"");
+  if (!_isNonEmptyString(event.id)) bad("id", "id must be a non-empty string");
+  if (!_isNonEmptyString(event.source)) bad("source", "source must be a non-empty URI-reference string");
+  if (!_isNonEmptyString(event.type)) bad("type", "type must be a non-empty string");
+
+  if (event.datacontenttype != null && !_isNonEmptyString(event.datacontenttype)) bad("datacontenttype", "datacontenttype, if present, must be a non-empty string");
+  if (event.dataschema != null && !_isNonEmptyString(event.dataschema)) bad("dataschema", "dataschema, if present, must be a non-empty URI string");
+  if (event.subject != null && !_isNonEmptyString(event.subject)) bad("subject", "subject, if present, must be a non-empty string");
+  if (event.time != null && !rfc3339.isValidDateTime(event.time)) bad("time", "time, if present, must be an RFC 3339 date-time");
+
+  if (Object.prototype.hasOwnProperty.call(event, "data") && Object.prototype.hasOwnProperty.call(event, "data_base64")) {
+    bad("data", "data and data_base64 are mutually exclusive (CloudEvents §3.1.1)");
+  }
+  if (event.data_base64 != null && !_isCanonicalBase64(event.data_base64)) bad("data_base64", "data_base64 must be canonical RFC 4648 base64");
+
+  Object.keys(event).forEach(function (k) {
+    if (REQUIRED_ATTRS.indexOf(k) !== -1 || KNOWN_OPTIONAL_ATTRS[k]) return;
+    if (!VALIDATE_EXT_NAME_RE.test(k)) { bad(k, "attribute name must match [a-z0-9]+ (lower-case letters and digits)"); return; }   // allow:regex-no-length-cap — linear class, key bounded by maxBytes
+    var ei = _extIssue(k, event[k]);
+    if (ei) bad(k, ei);
+  });
+  return issues;
+}
+
+/**
+ * @primitive b.cloudEvents.isValid
+ * @signature b.cloudEvents.isValid(event)
+ * @since     0.12.63
+ * @status    stable
+ * @related   b.cloudEvents.validate
+ *
+ * Boolean convenience form of <code>validate</code> — <code>true</code>
+ * when the event has zero conformance issues.
+ *
+ * @example
+ *   b.cloudEvents.isValid(evt);   // → true
+ */
+function isValid(event) { return validate(event).length === 0; }
+
+function _assertValid(event, label) {
+  var issues = validate(event);
+  if (issues.length) {
+    throw new CloudEventsError("cloud-events/invalid",
+      label + ": " + issues.map(function (i) { return i.message; }).join("; "));
+  }
+}
+
+// ---- JSON event format ----
+
+/**
+ * @primitive b.cloudEvents.toJSON
+ * @signature b.cloudEvents.toJSON(event, opts?)
+ * @since     0.12.63
+ * @status    stable
+ * @related   b.cloudEvents.fromJSON, b.cloudEvents.toJSONBatch
+ *
+ * Serialize a CloudEvents envelope (as produced by <code>wrap</code>) to a
+ * JSON event-format string — media type
+ * <code>application/cloudevents+json</code>. The envelope is already in
+ * wire shape (JSON <code>data</code> inline, binary as a
+ * <code>data_base64</code> string), so this validates it and renders the
+ * JSON. Throws <code>CloudEventsError</code> on a non-conformant event.
+ *
+ * @opts
+ *   space:   number | string,   // JSON.stringify indentation (default: none)
+ *
+ * @example
+ *   var json = b.cloudEvents.toJSON(b.cloudEvents.wrap({ source: "/x", type: "t" }));
+ */
+function toJSON(event, opts) {
+  opts = opts || {};
+  _assertValid(event, "cloudEvents.toJSON");
+  return JSON.stringify(event, null, opts.space);
+}
+
+function _coerceInput(input, label, maxBytes) {
+  if (!Buffer.isBuffer(input) && typeof input !== "string") {
+    throw new CloudEventsError("cloud-events/bad-input", label + ": input must be a string or Buffer");
+  }
+  try {
+    return safeJson.parse(input, { maxBytes: maxBytes });
+  } catch (e) {
+    if (e && e.code === "json/too-large") throw new CloudEventsError("cloud-events/too-large", label + ": input exceeds maxBytes (" + maxBytes + ")");
+    throw new CloudEventsError("cloud-events/bad-json", label + ": body is not valid JSON");
+  }
+}
+
+/**
+ * @primitive b.cloudEvents.fromJSON
+ * @signature b.cloudEvents.fromJSON(input, opts?)
+ * @since     0.12.63
+ * @status    stable
+ * @related   b.cloudEvents.toJSON, b.cloudEvents.parse
+ *
+ * Parse a single JSON event-format document (string or Buffer) into a
+ * validated CloudEvents envelope. Untrusted bytes route through the
+ * framework's bounded, prototype-pollution-safe JSON reader. The envelope
+ * is returned in wire shape (binary stays a <code>data_base64</code>
+ * string); call <code>parse</code> instead when you want the
+ * Buffer-decoded record. Throws <code>CloudEventsError</code> on malformed
+ * or non-conformant input.
+ *
+ * @opts
+ *   maxBytes:   number,   // default: 1 MiB — reject larger inputs
+ *
+ * @example
+ *   var evt = b.cloudEvents.fromJSON(req.rawBody);
+ */
+function fromJSON(input, opts) {
+  opts = opts || {};
+  var maxBytes = opts.maxBytes == null ? DEFAULT_MAX_BYTES : opts.maxBytes;
+  var obj = _coerceInput(input, "cloudEvents.fromJSON", maxBytes);
+  if (!_isPlainObject(obj)) throw new CloudEventsError("cloud-events/invalid", "cloudEvents.fromJSON: event must be a JSON object");
+  _assertValid(obj, "cloudEvents.fromJSON");
+  return obj;
+}
+
+/**
+ * @primitive b.cloudEvents.toJSONBatch
+ * @signature b.cloudEvents.toJSONBatch(events, opts?)
+ * @since     0.12.63
+ * @status    stable
+ * @related   b.cloudEvents.fromJSONBatch, b.cloudEvents.toJSON
+ *
+ * Serialize an array of CloudEvents envelopes to the JSON batch format
+ * (media type <code>application/cloudevents-batch+json</code>) — a JSON
+ * array of events, each rendered as by <code>toJSON</code>. An empty array
+ * yields <code>"[]"</code>.
+ *
+ * @opts
+ *   space:   number | string,   // JSON.stringify indentation (default: none)
+ *
+ * @example
+ *   var body = b.cloudEvents.toJSONBatch([evtA, evtB]);
+ */
+function toJSONBatch(events, opts) {
+  opts = opts || {};
+  if (!Array.isArray(events)) throw new CloudEventsError("cloud-events/bad-input", "cloudEvents.toJSONBatch: events must be an array");
+  events.forEach(function (event, idx) { _assertValid(event, "cloudEvents.toJSONBatch: event[" + idx + "]"); });
+  return JSON.stringify(events, null, opts.space);
+}
+
+/**
+ * @primitive b.cloudEvents.fromJSONBatch
+ * @signature b.cloudEvents.fromJSONBatch(input, opts?)
+ * @since     0.12.63
+ * @status    stable
+ * @related   b.cloudEvents.toJSONBatch, b.cloudEvents.fromJSON
+ *
+ * Parse a JSON batch (a JSON array of events) from a string or Buffer into
+ * an array of validated CloudEvents envelopes. Each element is validated as
+ * by <code>fromJSON</code>; an empty array is valid. A non-array body,
+ * over-size input, or any non-conformant element throws
+ * <code>CloudEventsError</code>.
+ *
+ * @opts
+ *   maxBytes:   number,   // default: 1 MiB — reject larger inputs
+ *
+ * @example
+ *   var events = b.cloudEvents.fromJSONBatch(req.rawBody);
+ */
+function fromJSONBatch(input, opts) {
+  opts = opts || {};
+  var maxBytes = opts.maxBytes == null ? DEFAULT_MAX_BYTES : opts.maxBytes;
+  var arr = _coerceInput(input, "cloudEvents.fromJSONBatch", maxBytes);
+  if (!Array.isArray(arr)) throw new CloudEventsError("cloud-events/invalid", "cloudEvents.fromJSONBatch: body must be a JSON array");
+  arr.forEach(function (obj, idx) {
+    if (!_isPlainObject(obj)) throw new CloudEventsError("cloud-events/invalid", "cloudEvents.fromJSONBatch: event[" + idx + "] must be a JSON object");
+    _assertValid(obj, "cloudEvents.fromJSONBatch: event[" + idx + "]");
+  });
+  return arr;
+}
+
+// ---- HTTP protocol binding ----
+
+var STRUCTURED_CT = "application/cloudevents+json; charset=UTF-8";
+var BATCH_CT = "application/cloudevents-batch+json; charset=UTF-8";
+
+// Percent-encode a header value: everything outside printable ASCII plus
+// the spec-named space / double-quote / percent (HTTP binding §3.1). `s` is
+// always the already-stringified value from _headerValueFor.
+function _pctEncode(s) {
+  var bytes = Buffer.from(s, "utf8");
+  var out = "";
+  for (var i = 0; i < bytes.length; i += 1) {
+    var by = bytes[i];
+    if (by < 0x21 || by > 0x7E || by === 0x22 || by === 0x25) {   // allow:raw-byte-literal — printable-ASCII bounds + double-quote and percent (HTTP binding header rule)
+      out += "%" + bytes[i].toString(16).toUpperCase().padStart(2, "0");   // allow:raw-byte-literal — 16 is the hex radix
+    } else {
+      out += String.fromCharCode(by);
+    }
+  }
+  return out;
+}
+function _pctDecode(s) {
+  var bytes = [];
+  var i = 0;
+  while (i < s.length) {
+    if (s[i] === "%" && /^[0-9A-Fa-f]{2}$/.test(s.slice(i + 1, i + 3))) {
+      bytes.push(parseInt(s.slice(i + 1, i + 3), 16));   // allow:raw-byte-literal — 16 is the hex radix
+      i += 3;
+    } else {
+      var ch = Buffer.from(s[i], "utf8");
+      for (var j = 0; j < ch.length; j += 1) bytes.push(ch[j]);
+      i += 1;
+    }
+  }
+  return Buffer.from(bytes).toString("utf8");
+}
+function _headerValueFor(v) { return typeof v === "boolean" ? (v ? "true" : "false") : String(v); }
+function _lowerHeaders(headers) {
+  var out = {};
+  Object.keys(headers || {}).forEach(function (k) {
+    var v = headers[k];
+    out[k.toLowerCase()] = Array.isArray(v) ? v.join(",") : v;
+  });
+  return out;
+}
+
+/**
+ * @primitive b.cloudEvents.http.encodeBinary
+ * @signature b.cloudEvents.http.encodeBinary(event)
+ * @since     0.12.63
+ * @status    stable
+ * @related   b.cloudEvents.http.decode, b.cloudEvents.http.encodeStructured
+ *
+ * Render a CloudEvents envelope in HTTP <em>binary</em> content mode: each
+ * context attribute (and extension) becomes a <code>ce-</code>-prefixed
+ * header with a percent-encoded value, <code>datacontenttype</code> maps to
+ * the plain <code>Content-Type</code> header (never
+ * <code>ce-datacontenttype</code>), and the payload becomes the body.
+ * Returns <code>{ headers, body }</code> where <code>body</code> is a
+ * Buffer (for <code>data_base64</code> payloads) or a string.
+ *
+ * @example
+ *   var enc = b.cloudEvents.http.encodeBinary(evt);
+ *   // enc.headers["ce-id"], enc.headers["content-type"], enc.body
+ */
+function encodeBinary(event) {
+  _assertValid(event, "cloudEvents.http.encodeBinary");
+  var headers = {};
+  Object.keys(event).forEach(function (k) {
+    if (k === "data" || k === "data_base64" || k === "datacontenttype") return;
+    if (event[k] === undefined || event[k] === null) return;
+    headers["ce-" + k] = _pctEncode(_headerValueFor(event[k]));
+  });
+  var body;
+  if (event.data_base64 != null) {
+    body = Buffer.from(event.data_base64, "base64");
+  } else if (Object.prototype.hasOwnProperty.call(event, "data")) {
+    // JSON-media payloads (including a bare string under application/json or
+    // an absent content type, which defaults to JSON) must be JSON-encoded
+    // so the body re-parses; a non-JSON media type carries the string as-is.
+    if (_isJsonMedia(event.datacontenttype)) body = JSON.stringify(event.data);
+    else body = typeof event.data === "string" ? event.data : JSON.stringify(event.data);
+  } else body = "";
+  if (event.datacontenttype != null) headers["content-type"] = event.datacontenttype;
+  else if (_isPlainObject(event.data) || Array.isArray(event.data)) headers["content-type"] = "application/json";
+  return { headers: headers, body: body };
+}
+
+/**
+ * @primitive b.cloudEvents.http.encodeStructured
+ * @signature b.cloudEvents.http.encodeStructured(event)
+ * @since     0.12.63
+ * @status    stable
+ * @related   b.cloudEvents.http.decode, b.cloudEvents.http.encodeBinary
+ *
+ * Render a CloudEvents envelope in HTTP <em>structured</em> content mode:
+ * the whole event is serialized via the JSON event format into the body,
+ * with <code>Content-Type: application/cloudevents+json</code>. Returns
+ * <code>{ headers, body }</code>.
+ *
+ * @example
+ *   var enc = b.cloudEvents.http.encodeStructured(evt);
+ */
+function encodeStructured(event) {
+  return { headers: { "content-type": STRUCTURED_CT }, body: toJSON(event) };
+}
+
+/**
+ * @primitive b.cloudEvents.http.encodeBatch
+ * @signature b.cloudEvents.http.encodeBatch(events)
+ * @since     0.12.63
+ * @status    stable
+ * @related   b.cloudEvents.http.decode, b.cloudEvents.toJSONBatch
+ *
+ * Render an array of CloudEvents in HTTP <em>batched</em> content mode: the
+ * JSON batch format in the body with <code>Content-Type:
+ * application/cloudevents-batch+json</code>. Returns
+ * <code>{ headers, body }</code>.
+ *
+ * @example
+ *   var enc = b.cloudEvents.http.encodeBatch([evtA, evtB]);
+ */
+function encodeBatch(events) {
+  return { headers: { "content-type": BATCH_CT }, body: toJSONBatch(events) };
+}
+
+/**
+ * @primitive b.cloudEvents.http.decodeBinary
+ * @signature b.cloudEvents.http.decodeBinary(headers, body, opts?)
+ * @since     0.12.63
+ * @status    stable
+ * @related   b.cloudEvents.http.decode, b.cloudEvents.http.encodeBinary
+ *
+ * Parse an HTTP binary-mode request into a CloudEvents envelope. Headers are
+ * matched case-insensitively; each <code>ce-*</code> header is
+ * percent-decoded into the matching attribute, <code>Content-Type</code>
+ * becomes <code>datacontenttype</code>, and the body becomes the payload
+ * (parsed as JSON when the content type is JSON, kept as a
+ * <code>data_base64</code> string for opaque bytes). The result is
+ * validated. Binary-mode header values are strings, so extension types
+ * other than String are not recovered.
+ *
+ * @opts
+ *   maxBytes:   number,   // default: 1 MiB — reject larger bodies
+ *
+ * @example
+ *   var evt = b.cloudEvents.http.decodeBinary(req.headers, req.rawBody);
+ */
+function decodeBinary(headers, body, opts) {
+  opts = opts || {};
+  var maxBytes = opts.maxBytes == null ? DEFAULT_MAX_BYTES : opts.maxBytes;
+  var h = _lowerHeaders(headers);
+  var event = {};
+  Object.keys(h).forEach(function (k) {
+    if (k.indexOf("ce-") !== 0) return;
+    event[k.slice(3)] = _pctDecode(String(h[k]));
+  });
+  var ct = h["content-type"] != null ? h["content-type"] : null;
+  if (ct != null) event.datacontenttype = ct;
+  var raw;
+  if (body == null) raw = Buffer.alloc(0);
+  else if (Buffer.isBuffer(body)) raw = body;
+  else if (typeof body === "string") raw = Buffer.from(body, "utf8");
+  else throw new CloudEventsError("cloud-events/bad-input", "cloudEvents.http.decodeBinary: body must be a string or Buffer");
+  if (raw.length > maxBytes) throw new CloudEventsError("cloud-events/too-large", "cloudEvents.http.decodeBinary: body exceeds maxBytes (" + maxBytes + ")");
+  if (raw.length > 0) {
+    if (_isJsonMedia(ct)) {
+      try { event.data = safeJson.parse(raw, { maxBytes: maxBytes }); }
+      catch (_e) { throw new CloudEventsError("cloud-events/bad-json", "cloudEvents.http.decodeBinary: JSON body is not valid JSON"); }
+    } else if (typeof ct === "string" && /^text\//i.test(ct)) {
+      event.data = raw.toString("utf8");
+    } else {
+      event.data_base64 = raw.toString("base64");
+    }
+  }
+  _assertValid(event, "cloudEvents.http.decodeBinary");
+  return event;
+}
+
+/**
+ * @primitive b.cloudEvents.http.decode
+ * @signature b.cloudEvents.http.decode(headers, body, opts?)
+ * @since     0.12.63
+ * @status    stable
+ * @related   b.cloudEvents.http.decodeBinary, b.cloudEvents.http.encodeStructured
+ *
+ * Parse an HTTP request into a CloudEvents envelope (or array, for a batch),
+ * auto-detecting the content mode exactly as a conformant receiver does: a
+ * <code>Content-Type</code> beginning
+ * <code>application/cloudevents-batch</code> is batched, one beginning
+ * <code>application/cloudevents</code> is structured, and anything else is
+ * binary mode. Returns a single envelope for binary/structured modes and an
+ * array for batched mode.
+ *
+ * @opts
+ *   maxBytes:   number,   // default: 1 MiB — reject larger bodies
+ *
+ * @example
+ *   var evt = b.cloudEvents.http.decode(req.headers, req.rawBody);
+ */
+function decode(headers, body, opts) {
+  var h = _lowerHeaders(headers);
+  var ct = (h["content-type"] != null ? h["content-type"] : "") || "";
+  if (/^application\/cloudevents-batch\b/i.test(ct)) return fromJSONBatch(body, opts);
+  if (/^application\/cloudevents\b/i.test(ct)) return fromJSON(body, opts);
+  return decodeBinary(headers, body, opts);
+}
+
 module.exports = {
   wrap:             wrap,
   parse:            parse,
+  validate:         validate,
+  isValid:          isValid,
+  toJSON:           toJSON,
+  fromJSON:         fromJSON,
+  toJSONBatch:      toJSONBatch,
+  fromJSONBatch:    fromJSONBatch,
+  http: {
+    encodeBinary:     encodeBinary,
+    encodeStructured: encodeStructured,
+    encodeBatch:      encodeBatch,
+    decodeBinary:     decodeBinary,
+    decode:           decode,
+  },
   SPECVERSION:      SPECVERSION,
   REQUIRED_ATTRS:   REQUIRED_ATTRS,
   CloudEventsError: CloudEventsError,

package/lib/csp.js

@@ -67,9 +67,10 @@ var ALL_DIRECTIVES = [
   "default-src", "script-src", "script-src-elem", "script-src-attr",
   "style-src", "style-src-elem", "style-src-attr",
   "img-src", "media-src", "font-src", "connect-src", "object-src",
-  "frame-src", "child-src", "worker-src", "manifest-src", "prefetch-src",
+  "frame-src", "child-src", "worker-src", "fenced-frame-src",
+  "manifest-src", "prefetch-src",
   "form-action", "frame-ancestors", "navigate-to", "base-uri", "sandbox",
-  "report-to", "report-uri",
+  "webrtc", "report-to", "report-uri",
   "require-trusted-types-for", "trusted-types",
   "upgrade-insecure-requests", "block-all-mixed-content",
 ];